The Raspberry Robin worm uses new tactics to evade detection and seeks to confuse security experts if it runs in a sandbox or notices debugging tools.

To do this, the malware uses fake payloads, Trend Micro experts say.

Let me remind you that Raspberry Robin is a dropper that has the functionality of a worm, the authors of which sell access to compromised networks to extortion groups and operators of other malware. Experts have previously associated it with hack groups such as FIN11 and Clop, as well as payload distributions of Bumblebee, IcedID and TrueBot.

The first Raspberry Robin was found by analysts from Red Canary. In the spring of this year, it became known that the malware is distributed using USB drives (it infects devices with malware after clicking on the .LNK. file) and has been active since at least September 2021. The cybersecurity company Sekoia even observed that back in November last year, malware used Qnap NAS devices as control servers.

It was previously noted that the malware is heavily obfuscated to protect its code from antiviruses and researchers, and also has several layers containing hard-coded values to decrypt the next one.

To make things even more difficult for security professionals, Raspberry Robin recently began using different payloads depending on how it runs on the device, Trend Micro researchers now report. So, if the malware detects that it is running in a sandbox or they try to analyze it, the loader resets the fake payload. If nothing suspicious is found, the real Raspberry Robin malware is launched.

The fake fake payload has two additional layers: a shellcode with an embedded PE file and a PE file with the MZ header and PE signature removed. Once executed, it examines the Windows registry for signs of infection and then proceeds to collect basic information about the system.

The fake then tries to download and run the BrowserAssistant adware to make the researchers think it is the final payload. In fact, in truly infected systems that did not arouse suspicion in the malware, a real Raspberry Robin payload is loaded with a built-in customized Tor client for communication. Trend Micro’s report highlights that even with the fake payload being used as a distraction, the real payload is still packaged with ten levels of obfuscation, making it much more difficult to analyze.

The real payload is also said to check if the user is an administrator on startup, and if not, it uses the ucmDccwCOMMethod privilege escalation technique in UACMe to gain administrator rights. The malware also makes changes to the registry to maintain its presence in the system between reboots, using two different methods for this (for a user with and without administrator rights).

The malware then attempts to connect to hard-coded Tor addresses and establishes a communication channel with its carriers. However, the Tor client process uses names that mimic standard Windows system files, including dllhost.exe, regsvr32.exe, and rundll32.exe.

It is noteworthy that the main procedures are performed within Session 0, that is, in a specialized session reserved by Windows exclusively for services and applications that do not need or should not interact with the user.

Also Raspberry Robin still copies itself to any connected USB drives to infect other systems. At the same time, the researchers believe that the current campaign is more of a reconnaissance operation and an attempt to evaluate the effectiveness of new mechanisms, and not the initial stage of real attacks.

Let me remind you that we also wrote that Microsoft Links Raspberry Robin Worm to Evil Corp.

The post Raspberry Robin Worm Uses Fake Malware to Trick Security Researchers appeared first on Gridinsoft Blog.

Information security experts warned of an increase in the number of infections with the new version of TrueBot, primarily targeting users from Mexico, Brazil, Pakistan and the United States.

According to Cisco Talos, malware operators have now moved from using malicious emails to alternative delivery methods, including exploiting an RCE vulnerability in Netwrix Auditor, as well as using the Raspberry Robin worm.

Let me remind you that experts attribute the authorship of TrueBot to the Russian-speaking hack group Silence, which is known due to the major robberies of financial institutions.

As reported now, the attackers not only switched to new methods of delivering malware, but also began to use the custom tool Teleport to steal data, and also distribute the Clop encryptor, which is usually used by hackers from the TA505 group associated with another Russian-speaking hack group – FIN11.

Cisco Talos researchers write that they discovered several new attack vectors back in August 2022. According to their observations, Silence participants introduced their malware into 1500 systems around the world, “bringing with them” shellcodes, Cobalt Strike beacons, Grace malware, Teleport data theft tool and Clop ransomware.

It is noted that in most of the attacks detected during the period from August to September, hackers infected the systems of victims of Truebot (Silence.Downloader) using the critical vulnerability of Netwrix Auditor servers, tracked as CVE-2022-31199.

In October 2022, hackers completely switched to using malicious USB drives and the Raspberry Robin worm, which delivered IcedID, Bumblebee, and Truebot payloads to victims’ machines.

Let me remind you that in the October Microsoft report, this worm was associated with the spread of the Clop ransomware and the DEV-0950 hack group, whose malicious activity is associated with the activity of the FIN11 and TA505 groups.

As Cisco Talos now notes, Truebot operators used Raspberry Robin to infect more than 1,000 hosts, many of which were not accessible via the Internet. Most of the victims of hackers are in Mexico, Brazil and Pakistan.

In November, hackers targeted Windows servers, whose SMB, RDP, and WinRM services can be found over the Internet. The researchers counted more than 500 cases of such infections, about 75% of them in the United States.

Analysts remind that in fact Truebot is a first-level module that collects basic information about the victim’s system and takes screenshots. It also extracts information about Active Directory, which helps hackers plan their next steps after an infection.

The attacker’s command and control server can then instruct Truebot to load shellcode or DLLs into memory, execute additional modules, remove itself, or load DLLs, EXEs, BATs, and PS1 files.

Also, after being compromised, hackers use Truebot to inject Cobalt Strike beacons or Grace malware (FlawedGrace, GraceWire) into victim systems. The attackers then deploy Teleport, which Cisco describes as a new custom tool written in C++ that helps to steal data silently.

The communication channel between Teleport and the C&C server is encrypted. Operators can limit download speeds, filter files by size (to steal more), or remove payloads. Teleport is also capable of stealing files from OneDrive folders, collecting victim mail from Outlook, and looking for specific file extensions.

It is noted that after lateral movement, infection of the maximum number of systems using Cobalt Strike and data theft, in some cases hackers deploy the Clop ransomware already mentioned above in the systems of victims.

The post New Version of Truebot Exploits Vulnerabilities in Netwrix Auditor and Raspberry Robin Worm appeared first on Gridinsoft Blog.

Let me remind you that the first Raspberry Robin malware was found by analysts from Red Canary. In the spring of this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021. The cybersecurity company Sekoia even observed that back in November last year, malware used Qnap NAS devices as control servers.

It’s also worth noting that during the summer, Microsoft researchers discovered the presence of Raspberry Robin on the networks of hundreds of organizations from various industries, some of which were in the technology and manufacturing sectors. At that time, the targets of the attackers remained unknown, since at that time they did not yet have access to the networks of the victims.

And also, as we already reported, Microsoft Links Raspberry Robin Worm to Russian Grouping Evil Corp.

Over the past months, the worm has reportedly spread to networks that now belong to nearly 1,000 organizations. In the past 30 days alone, Microsoft analysts have seen Raspberry Robin payloads on 3,000 devices in nearly 1,000 organizations.

Moreover, according to experts, Raspberry Robin operators have now become access brokers, that is, they sell access to networks of hacked companies to other criminals. For example, the malicious activity of the aforementioned DEV-0950 group intersects with the activity of the financially motivated hack groups FIN11 and TA505, which are deploying the Clop ransomware in their target networks.

Raspberry Robin and Clop Attack Scheme

Moreover, due to Raspberry Robin, other threats also penetrated victims’ devices, including payloads of malware such as IcedID, Bumblebee and TrueBot.

Analysts summarize that from a widespread worm that did not show any activity after infection, Raspberry Robin has become one of the largest malware distribution platforms.

So, earlier researchers have already noticed that with the help of Raspberry Robin, the FakeUpdates (aka SocGholish) backdoor, which experts associate with the Evil Corp hacker group, was delivered to victims’ devices. Now there are much more malware that penetrates the systems of victims because of this worm.

The post Raspberry Robin Worm Operators Now Trade Access appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that The Austrian Company DSIRF Was Linked to the Knotweed Hack Group and the Subzero Malware, and also that Experts Find Similarities Between LockBit and BlackMatter.

Let me remind you that last month, researchers discovered the presence of the Raspberry Robin worm in the networks of hundreds of organizations from various industries, some of which worked in the technology and manufacturing sectors. Although Microsoft observed how the malware binds to addresses on the Tor network, the attackers’ targets remained unknown, as they did not yet have access to their victims’ networks.

Raspberry Robin malware was first found by analysts from Red Canary. In the spring of this year, it became known that the malware has the capabilities of a worm, spreads using USB drives, and has been active since at least September 2021. Security company Sekoia even observed how malware used Qnap NAS devices as control servers back in November last year.

While the hackers did nothing, Microsoft labelled the campaign as high-risk, given that attackers could download and deploy additional malware on victims’ networks at any time and elevate their privileges.

Now, researchers have finally seen the first signs of how the hackers intend to exploit the access they have gained to their victims’ networks with the Raspberry Robin.

The aforementioned DEV-0206 is the code name for an access broker that deploys the FakeUpdates malware on victim machines, forcing the victim to download fake browser updates as ZIP archives. This malware essentially works as a conduit for other malicious campaigns and attackers who use access acquired from DEV-0206 to spread their payloads. So, the noticed Cobalt Strike loaders, apparently, are associated with the DEV-0243 group, better known as Evil Corp.

In June 2022, cybersecurity experts noticed that Evil Corp switched to using the LockBit ransomware to avoid sanctions previously imposed by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC). It was assumed that the use of other people’s resources and this new tactic would allow hackers to spend the time saved on developing their own malware to expand their operations.

The post Microsoft Links Raspberry Robin Worm to Evil Corp appeared first on Gridinsoft Blog.